Logins for 8,700 FTP servers found on sale

Criminals have assembled a huge database of hacked FTP server logins belonging to some of the world’s leading companies, a security company has revealed.

By
John E Dunn
| Feb 27, 2008

Share

TwitterFacebookLinkedInGoogle Plus

Criminals have assembled a huge database of hacked FTP server logins belonging to some of the world’s leading companies, a security company has revealed.

Finjan said it had stumbled upon a database containing account usernames, passwords and server addresses for a staggering 8,700 FTP servers, many of which were being used by US Fortune 100-level enterprises.

The hacked servers could be used to distribute crimeware by injecting iframe tags into any webpage stored on the compromised FTP servers. Indeed the server accounts were themselves being traded by a web application able to rank and price them according to their Google page rank for re-sale to other criminals.

The company found the database while examining what appears to be a sophisticated Russian crimeware hub built using a newer version of the Neosploit crimeware toolkit, sophisticated enough to offers its criminal users a SaaS (software as a service) interface for carrying out attacks.

The company didn’t name the domains involved for obvious reasons, but the range of sectors and countries reads like a who’s who of big business. FTP details for telecoms, media, online retail, and government agencies were all present, across every leading economy and beyond.

Using the Alexa.com domain ranking, Finjan found 10 of the top 100 domains in the database, 100 of the top 500 domains, and 50 of those between 500 and 1,000.

Related

Breaking these down by location, 2,621 were in the US, 1,247 in Russia, 392 in Australia, 354 in Asia/Pacific. The rest were covered Eastern Europe, with only a handful in western European countries such as Germany and the UK, which accounted for 80 and 78, respectively.

"With this new trading application, cyber-criminals have an instant 'solution' to their problem of gaining access to FTP credentials and thus infecting both the legitimate websites and unsuspecting visitors,” said Finjan’s Yuval-Ben Itzhak.

“If your FTP server credentials are on the list, criminals may use it to add crimeware on to your site, so people visiting your site will get infected with crimeware and may sue you,” he said.

“The solution: start by changing your FTP server password, frequently.” Finjan would only confirm whether a particular company was on the database if that company contacted the company, he said. Details of the full report on the FTP hack can be found on Finjan’s website.

Earlier this month, the FTP server belonging to the Forth Estuary Transport Authority (FETA) was hacked, allowing criminals to server malware from the website of the famous UK landmark, the Forth Road Bridge near Edinburgh.